And this is why I’ve been saying to uninstall Java, rather than disable it

Apple just uncovered and fixed a vulnerability that allowed an exploit to re-enable Java in a browser when it’s been disabled, which then of course allows a litany of exploits.

There are two lessons here. Macintoshes are hackable just like any other device, and latent software can be re-enabled. If you don’t think someone’s trying to do the same thing in Windows and Linux, you’re not paying attention.

This is why I get irritated when I see Macintosh pundits say, “just disable Java, you’ll be OK.” Not if you think like an attacker, you won’t. The attackers don’t use any rules of engagement–changing a system configuration in order to enable more exploits is par for the course. A sophisticated attack will exploit one weakness, then another, then another, to get what they want.

Disabling unused functionality is better than leaving it enabled, but if it’s possible to remove the capability completely, that’s a better approach. It’s called limiting your attack footprint. That’s why my web server doesn’t even have a GUI. I don’t need a GUI because I rarely interact with the machine directly, and when I do, I can do everything I need to do from a command line. And then that’s one less thing that can possibly be used against me.

It’s one thing if you need Java. Sure, you might. But then you need to take more precautions and pay a lot more attention to security bulletins if you’re running Java in your environment.

If you don’t need it, then uninstall it and see if you even notice it’s gone. If you don’t know you need it, there’s an increasingly good chance you don’t.